NudgePort — Simplified client approval portal
Sign inGet started

Privacy Policy

Last updated: 24.05.2026

1. Introduction

This Privacy Policy describes how Nikali Ltd. (Unified Identification Code 207724645, VAT ID BG207724645, registered in Sofia, Bulgaria), the operator of NudgePort, handles personal data in connection with the NudgePort website, web application, client portal, and related services. By using NudgePort, you acknowledge that you have read and understood this Privacy Policy.

2. Our Role

Nikali Ltd. acts as the data controller for personal data related to NudgePort accounts, website visitors, billing, customer support, security operations, and business communications.

For project data, client contact data, and approval records uploaded or entered by NudgePort customers, the customer is generally the data controller and Nikali Ltd. acts as a data processor. Processing on behalf of customers is governed by the NudgePort Data Processing Agreement (DPA).

3. Information We Collect

We collect and process the following categories of personal data:

  • Account data: name, email address, password or authentication data, agency or company name, role, and account settings.
  • Customer / client contact data: names, email addresses, company names, and contact details entered by customers when inviting client contacts to review projects.
  • Project and approval data: project names, phases, item titles, external URLs, version labels, comments and feedback, change requests, approval decisions (approved, rejected, changes requested), timestamps, and activity history.
  • Technical and security data: IP address, browser user-agent string, device and browser information, login events, portal access events, and security logs.
  • Billing data: subscription plan, payment status, Stripe customer and subscription identifiers, invoices, and payment references.
  • Notification data: email delivery records, notification preferences, and push subscription data where enabled.
  • Cookie and usage data: data collected through necessary cookies and, where enabled, analytics or preference cookies.

Important note: NudgePort stores external URLs and approval-related records. NudgePort does not store the original files, documents, videos, designs, or invoices linked through the service.

4. How We Use Personal Data

We use personal data for the following purposes:

  • To create and manage customer accounts;
  • To provide the NudgePort approval portal and related functionality;
  • To enable client portal access through secure magic links;
  • To record approvals, feedback, project activity, and version history;
  • To send client action emails and in-app or push notifications;
  • To process payments and manage subscriptions;
  • To provide customer support and respond to inquiries;
  • To maintain security, prevent abuse, and troubleshoot operational issues;
  • To comply with legal, tax, and accounting obligations;
  • To improve the service and user experience.

5. Legal Bases for Processing

We rely on the following legal bases under applicable data protection law:

  • Contract: processing is necessary to provide NudgePort and manage customer accounts under our Terms of Service;
  • Legitimate interests: to secure the service, prevent abuse, improve functionality, and communicate about service-related matters;
  • Legal obligations: for tax, accounting, regulatory compliance, and responding to lawful requests;
  • Consent: where required for optional cookies, marketing communications, or other optional processing. You may withdraw consent at any time.

6. Client Portal and Magic Links

NudgePort customers may invite client contacts to access a project portal through a secure, shareable link. Client contacts may access relevant project information and submit feedback or approvals without creating a separate NudgePort account.

Customers are responsible for sharing portal links only with intended recipients and for ensuring they have the right to provide client contact details. NudgePort stores the link access tokens (hashed) and records portal activity to maintain the approval workflow.

7. External Links and No File Storage

Customers may add links to content hosted on third-party tools and platforms, such as Google Drive, Figma, Dropbox, Canva, YouTube, Vimeo, Notion, Stripe, PayPal, and other external services.

The original linked content remains hosted by the third-party service or system selected by the customer. NudgePort stores the link and approval-related metadata (such as version labels, comments, and approval decisions), but not the original file. Availability, permissions, and security of external links are controlled by the customer and/or the third-party platform.

8. Sharing of Personal Data

NudgePort does not sell personal data. We may share personal data with the following categories of recipients, solely as necessary to provide and secure the service:

  • Hosting and database providers for infrastructure and data storage;
  • Email delivery providers for sending notifications and portal links;
  • Payment processors such as Stripe, for billing and subscription management;
  • Infrastructure and security providers for monitoring, threat detection, and operational support;
  • Support or operational tools where used to manage customer inquiries;
  • Authorities or regulators where required by applicable law or to protect our legal rights.

All service providers are engaged under appropriate confidentiality and data protection obligations.

9. International Transfers

Where personal data is transferred outside the European Economic Area (EEA), we use appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other lawful transfer mechanisms recognized under applicable data protection law.

10. Data Retention

We retain personal data for the following periods:

  • Account data is kept while the account is active and for a reasonable period thereafter to manage reactivation, support, or legal obligations;
  • Project, approval, and client contact data is kept while needed to provide the service or until deleted or exported by the customer, subject to the customer’s plan and applicable retention settings;
  • Billing and transaction records may be kept for the period required by applicable tax, accounting, and contract law;
  • Security logs may be kept for a limited period for security, fraud prevention, and abuse investigation purposes;
  • Backup data may remain for a limited period in accordance with normal backup lifecycle and provider retention policies;
  • Some records may be retained where necessary to resolve disputes, enforce agreements, or comply with applicable law.

11. Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Access controls limiting who can access systems and data;
  • Tenant isolation using database-level Row Level Security (RLS) to ensure customers access only their own data;
  • Hashed magic link tokens for secure, passwordless client portal access;
  • Role-based permissions distinguishing between agency users, team members, and client portal visitors;
  • TLS encryption in transit for all communications between users and the NudgePort service;
  • Audit and activity logs recording key actions for accountability and investigation;
  • Rate limiting on portal actions to mitigate abuse;
  • Service-role isolation ensuring service keys are never exposed to client-side code;
  • Security monitoring where applicable to detect and respond to threats.

12. Your Rights

Depending on applicable law, you may have the following rights in relation to your personal data:

  • Access — the right to obtain a copy of your personal data;
  • Rectification — the right to correct inaccurate or incomplete data;
  • Erasure — the right to request deletion of your personal data in certain circumstances;
  • Restriction — the right to request limitation of processing;
  • Objection — the right to object to processing based on legitimate interests;
  • Portability — the right to receive your data in a structured, commonly used format;
  • Withdrawal of consent — where processing is based on consent, you may withdraw it at any time;
  • Lodge a complaint — you have the right to lodge a complaint with a supervisory authority in your country of residence, place of work, or place of the alleged infringement.

Where we process personal data on behalf of a NudgePort customer (for example, client contact details entered by the customer), we may refer your request to that customer or assist them as processor, depending on the nature of the request and our contractual obligations.

13. Cookies

NudgePort uses necessary cookies for authentication, security, and service operation. These cookies are essential for the site to function and cannot be disabled.

Optional analytics or preference cookies may be used only where enabled by you and, where required by law, with your prior consent. You can manage cookie preferences through the cookie banner or your browser settings.

14. Children

NudgePort is intended for business use by agencies, freelancers, and creative professionals. It is not directed to children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will post the updated version on this page with a revised "Last updated" date. Continued use of NudgePort after such changes constitutes your acceptance of the revised Privacy Policy.

16. Contact

For privacy-related questions or to exercise your rights, contact us at:

Email: support@nudgeport.com

Postal address: Nikali Ltd., Belite Borove 8, Sofia, Bulgaria

If you are a client contact invited by a NudgePort customer, you may also contact the customer that invited you, as they may be the controller of your project-related data.